Out-Law News

New Data Protection Code on employees’ health records


UK Information Commissioner Richard Thomas yesterday published the fourth part of the Employment Practices Data Protection Code, "Information about Workers' Health". The code provides guidance for employers on the collection and use of information about a worker's medical history.

"Information about people's health is very sensitive and requires effective protection," said David Smith, Assistant Information Commissioner. "This part of the Code addresses issues of real, practical relevance to many employers and those they employ."

"Employers may have alternative ways of meeting their legal requirements under the Data Protection Act when handling information about workers' health, but if they do nothing to apply the principles behind the Code they risk breaking the law," he added.

The Code of Practice, the last in a series of four published by the Office of the Information Commissioner, is based on the Data Protection Act of 1998 and should be followed by every employer.

The 1998 legislation places responsibilities on any organisation to process personal data that it holds in a fair and proper way. Failure to do so can amount to a criminal offence.

Although the Code contains guidance and is not legally binding, it provides the benchmarks that the Commissioner will use when deciding whether or not to enforce the Act. Consequently, organisations would be well advised to consider its contents very carefully.

Part four of the Code, published yesterday, addresses the collection and subsequent use of information about a worker's physical or mental health or condition.

It aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly and the legitimate interests of employers in deciding how best, within the law, to run their own businesses. It does not impose new legal obligations.

In general, says the Code, employers should only collect health information where it is necessary for health and safety reasons, to prevent discrimination, to satisfy other legal obligations or if each worker has given his or her explicit consent. If consent is to be relied upon, it must be given freely.

In view of the intrusive nature of information relating to health, its collection must always be justified by real benefits. An impact assessment may therefore be necessary.

Only information necessary for the defined purpose should be collected, and it should then be kept securely, and only for as long as absolutely required. Only those people who need to see the information should be authorised to access it.

So far as possible, advises the Code, the collection and interpretation of information about health should be left to medical professionals, although decisions as to the suitability of a particular worker for a particular job are a management responsibility.
In addition, workers should be made aware of the health information held about them and the reasons for it.

The Code also highlights specific problems relating to sickness and injury records, occupational health schemes, information from medical examination and testing, drug and alcohol testing and genetic testing.

Supplementary Guidance Notes on the new Code and a small leaflet offering Guidance for Small Businesses were also published by the Information Commissioner's Office yesterday.
